Semantics bedevils risk management. What do we mean by the terms we so often use? And do we mean the same thing? The first question for the participants in this roundtable was – what do we mean by operational risk?

It quickly emerged that there is a dividing line between financial services companies, like banks, and other businesses. Financial institutions must use the risk definitions supplied by regulations, like Basel II, while businesses that are not subject to the same type of prescription have flexibility in how they define types of risk. The most appropriate definitions may be ones that they devise themselves to take account of their individual circumstances.

Indeed, there was an argument that organisations could avoid categorising risks altogether if they use enterprise-wide risk management (ERM). ERM, it was said, allows an organisation to group and manage its risks in whatever way it finds useful, for example under functional headings such as IT, supply chain or property.

Transparency and communication emerged as critical components of risk management. With large companies operating in different sectors and many different countries, you cannot otherwise see how an action in one part of the business could affect other elements. There was a general view that organisations need someone in a senior position with an enterprise-wide perspective to champion risk management, whether or not the person carries the title chief risk officer. Having board members with experience of the industry and its intrinsic risks is also valuable.

The role of internal audit and its relationship with risk management also came in for discussion. The two should work together, with the organisation’s view of risk driving internal audit, which in turn provides independent assurance that the policies and programmes are in place and working.

The words of Donald Rumsfeld turned out to be unexpectedly appropriate to managing operational risks: fraud, collusion and the behaviour of traders and sales reps (known unknowns) are among the most difficult to deal with, and potential doomsday scenarios (unknown unknowns) are among the most difficult to imagine.

Ultimately, the group felt that, where possible, bespoke definitions of operational risk to suit individual companies are good, but that an enterprise-wide approach that concentrates on managing, rather than naming, risks is even better.